Where Do Cybersecurity Professionals Come From?

Get the latest security news in your inbox.

When a momma cybersecurity professional and a papa cybersecurity professional love each other very much they hug each other in a special way to help each other make little cybersecurity professionals.

If only it were so easy we wouldn’t have nearly 2.2 million unfilled cybersecurity jobs on the horizon. We wouldn’t have millions of kids struggling with online and social media addictions on one end of the spectrum and kids with no access to the Internet on the other. So while the straight answer is, we make them, the less straight answer is how.

You see education boards and Ed.D. infused pundits like to say what we need in school like, “We must teach students to be good cyber citizens.”

Then schools answer with, “Okay, sure. We can do that.”

Then let’s take a look at the bigger picture of society in general and ask ourselves, how do we make good citizens? We’ve had hundreds of years to work on that issue and I’m happy to report in my most politically correct way that it’s still an ongoing issue of mixed success. The fact that I need to report it in a politically correct way is indicative of the results as well. So why do we think we can just do this to a microcosm like a school with the all we’ve learned on making good citizens but with a tech twist? Is it because a school is smaller? I think we can rightfully extrapolate that we think this because the smaller the size of the experiment the greater our hubris about our potential success.

School has unfortunately become a catch-all for “all the things kids should know before we unleash them on the world” and that includes a crazily enormous and diverse number of things from tying shoes to throwing a ball to polite socialization to mathematics to regional history and culture. This leads to educational board fights over whether cursive handwriting is replaced by typing or drama class is dropped in favor of multimedia class. Schools have taken over for parenting in many ways and for good reason.

Parenting has changed because society lets it or wants it to or something. Seriously, do I look like a sociologist? I’m sure you’ll find an answer as to why from someone smarter and more eloquent than me. So I can’t tell you why but I can tell you it seems to have. Teachers tell you. Parents will reluctantly tell you. People who pay teachers tell you. People without kids in school tell you. The old guy shaking his rake at you from his lawn will tell you. So even if it’s not true in the years-long study version of factual, something is definitely up.

The thing is that schools are the perfect place for grappling with things like new technologies and making better cyber citizens. Schools can get kids to pick up their toys at the end of a recess whereas most parents can’t get them to pick up their toys like ever. Schools can get teens to make schedules and stick to them where as parents and employers of teens can’t get them to even look at schedules. So it seems reasonable to many adults that schools are the only place to get kids to read and learn something that they won’t do at home.

The problem though is teaching good cyber citizens. Seriously. What does that even mean? Say it out loud and it sounds ridiculous. I’m sure it sounds good in an academic journal but as your task how would you even do that? What would you teach the tech, the cyber, the citizenship, or the good? When do you know when a student is sufficiently good at cyber citizenry and you can stop? The truth is you can’t swing a raccoon by the tail at a school board meeting and hit someone who has a clue either. And believe me I’ve tried. (Well, the raccoon didn’t cooperate so the results were a bit… mixed.)

If you disagree then let’s just make it more complicated until you see the error of your ways. There are schools that don’t have computers and the teachers don’t have access to a school network. There are schools that give every kid a computer and so in addition to having them use it for assignments are tasked with figuring out how to teach the kids to use it safely as well as how to get kids to afford all the software they’ll need to use it properly in class. There are teachers who make kids sign up to web apps so as do things they can’t afford the software for, basically selling the kid’s privacy for shiny teaching tools. There are teachers who require the kids join social networks and install chat apps to work in peer groups trading exposure to a variety of social network improprieties for teamwork-focused homework assignments. Is that enough yet?

And these are the people who will also be teaching cyber citizenry.

There is no way to teach a kid in a way that assures they will be a good cyber citizen because we don’t even know what to teach them to assure they will be good regular citizens. However, you can assure they have the knowledge to not make stupid mistakes online. You can assure that they have enough knowledge not to try anything stupid on purpose. And you can assure they get the skills they’ll need to be employable, empowered, and content. It’s not the same as assuring they'll be good cyber citizens but it at least has measurable, positive value that has shown to be acceptable enough for society.

And that’s what we can do for cyber citizenry and ultimately for cybersecurity.

Schools have a great track record preparing kids with rote knowledge and actual skills like wood working, sewing, accounting, typing, auto repair, sports, and more. There are schools that focus purely on technical skills for both blue collar jobs like machinist and white collar jobs like accountant. These have been proven to be good for students. Then there’s IBM’s introduction of new collar jobs to help make more IT and cybersecurity professionals. Where blue-collar requires technical skills and a high school degree and white-collar requires a college degree, the new collar job falls somewhere in the middle. So for something like Cybersecurity, a new collar job, college isn’t required but skills certainly are and certifications can be used to fill in for any education gaps.

Now when I say these have brought success for students I mean it. Schools though, not so much. Schools are often rated on how many kids attend each day, their grades on standardized tests, and how many go on to college. They aren’t rated on how many graduating students vote in all elections, pay their bills on time every month, have no felonies, or anything else that might show that the school prepared them for the real world and not just for college or the town factory. And school ratings turn into school money and school employee salaries. So the incentive is small for schools to change the focus on anything that detracts from kids passing the state tests, spend time out of school seats, or from going to college. Which aren’t counter but also not conducive to making cybersecurity professionals. Add to that what I mentioned about the school not having resources, computers, networks, or time to spare and you’ll understand why so many don’t.

This problem isn’t lost on parents. Most of all cybersecurity parents who want more for their kids. The RSA Security conference dedicates a full day workshop and a section of floor space to Cybersafe Kids. They even invite teens to talk about their cybersafety problems. There the researchers of a half dozen cybersafety organizations like Hacker Highschool meet with thousands of parents over the 4 days who are all very concerned about the cybersafety of their own kids and how they can foster their education to be the next cybersecurity professionals. So be sure that the problem is well known to parents.

So that leaves us back at where do cybersecurity professionals come from?

Right now, they’re mainly coming out of pop culture. Some teens are driven towards being an iconic hacker as much as they are trying to be an influencer, a world-class gamer, or a Youtube star. This is how they even learn about cybersecurity at all. We have no idea how many follow this dream and end up in some form of cybersecurity whether defending servers, penetration testing, or bug hunting. But we do know that for a teen to go from idea to execution requires anywhere from four to eight years of staying on track. Which is hard for anyone but teens tend to be in a much more volatile state of growth and change. So don’t count on organic growth here.

So where do cybersecurity professionals come from? We make them. And we need to get on it because there’s no stork that’s going to be dropping them off any time soon.

About the Author:Pete HerzogPete Herzog is the shining example of a hacker trying to fix the
world. He built a career out of taking apart the security world piece
by piece to figure out how it works (but he still can’t put it back
together). Then he writes about it, a lot. You can find articles and
projects from him all over the place, especially at the non-profit
research organization, The Institute for Security and Open
Methodologies (ISECOM), he co-founded in 2001 to help make this
happen. There you’ll find his work with the Open Source Security
Testing Methodology Manual (OSSTMM), Hacker Highschool, and the
Cybersecurity Playbook as well as work in trust metrics,
authentication, social engineering, vulnerabilities, risk analysis,
and so much more. Pete also teaches training classes, coaches
corporations on cybersecurity, analyzes the security for Smart Cities,
develops security products, advises start-ups, and hacks things.
Read more posts from Pete Herzog ›